Full Member from CA

joined: Feb 7, 2017
posts: 330
votes: 23

My host provider had emailed me stating that DDOS attacks were so common that they were forced to install special anti-DDOS software, and that my patience was appreciated. Due to DDOS attacks, website response times were longer than they should be.

Unfortunately, for DDOS attacks, the IP could be spoofed/fake, or it could be a zombie PC/phone. You'll be very lucky if you get a UA you can lock onto. I usually have no such luck. The bot writers are smarter than that.

Are you using HTTPS? HTTPS might help or slow down the attack, as it should try to authenticate the IP, which may or may not authenticate.

Senior Member

joined: Dec 19, 2004
posts: 819
votes: 10

Hi, yes, I am still checking the access logs during that time stamp but nothing so far. My mistake, since I don't have the experience, is that I enabled the "under attack" Cloudflare mode and the attacks stopped. I didn't scan the access logs in real time.

So I have the old access logs with me and will ask my sys admin to examine the logs carefully.

Yes, graeme_p, the attack seems to be spawning more than one PHP process. How do I fix this?

A DDoS (Distributed Denial of Service) attack is a specific event. Just because your server may be experiencing a heavy load, or a UA is hitting your server at a fast rate causing your scripting to create additional instances, doesn't mean it is a DDoS.

DDoS attacks, while more common than in previous years, are rare. These attacks are usually launched against service providers or large companies for specific reasons and even more rarely are launched against one website.

Senior Member from GB

Low CPU and low requests per second relative to the number of requests being processed is an indication of slow loris.

Incidentally, if you just look at access logs and requests per second, slow loris could look like multiple processes per request, in that you would see lots of processes relative to the number of requests in the logs in either case.

The next question is whether there is any good reason you are spawning multiple processes per request.

Senior Member

joined: Dec 19, 2004
posts: 819
votes: 10

Hi, my setup was not spawning multiple processes per request. The attack happened and all of a sudden, in the top command result, I saw an entire page with "PHP" processes. The site crawled then and was not responding.

So as it is a past event, how do I mitigate this type of behavior? Please assist. Thanks!

Administrator

joined: Aug 10, 2004
posts: 11293
votes: 135

It is certainly possible that a PHP process could spawn other subprocesses. This could be a problem with the PHP script rather than the server itself. You should navigate all the parent / child relationships in that process list to understand the process hierarchy that occurs under the Apache process (usually httpd).
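One way to walk the parent/child relationships described in the post above, as an added example that is not part of the thread or any poster's code: it parses `ps -eo pid,ppid,comm` output, counts PHP processes under each httpd process, and lists PHP processes that are themselves parents. The process list is constructed sample data, and the function names and the `httpd` / `php` command names are assumptions.

```python
from collections import defaultdict

# Constructed sample of `ps -eo pid,ppid,comm` output (not taken from the thread).
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 systemd
  900     1 httpd
  910   900 httpd
  911   900 httpd
 1201   910 php-cgi
 1202   910 php-cgi
 1203  1201 php-cgi
 1300   911 php-cgi
 1400     1 sshd
"""

def parse_ps(text):
    """Return {pid: (ppid, command)}; header and malformed lines are skipped."""
    procs = {}
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0].isdigit() and fields[1].isdigit():
            procs[int(fields[0])] = (int(fields[1]), fields[2].strip())
    return procs

def child_map(procs):
    """Return {ppid: [child pids]} for the whole process table."""
    children = defaultdict(list)
    for pid, (ppid, _) in procs.items():
        children[ppid].append(pid)
    return children

def descendants(pid, children):
    """Every pid below `pid`, walked iteratively with a visited set."""
    seen, stack = set(), list(children.get(pid, []))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(children.get(p, []))
    return seen

def php_under_server(procs, server="httpd", needle="php"):
    """PHP descendant count for each server process (assumed command names)."""
    children = child_map(procs)
    return {pid: sum(needle in procs[d][1] for d in descendants(pid, children))
            for pid, (_, cmd) in procs.items() if cmd == server}

def php_with_children(procs, needle="php"):
    """PHP processes that are themselves parents, i.e. the script is spawning."""
    children = child_map(procs)
    return sorted(p for p, (_, cmd) in procs.items()
                  if needle in cmd and children.get(p))
```

On a live server, the text passed to `parse_ps` would be the captured output of `ps -eo pid,ppid,comm`; a non-empty result from `php_with_children` points at the PHP script rather than the web server as the source of extra processes.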